A safer Internet of Things? Risks and future cybersecurity laws

As the technology sector matures, the risks that attach to personal computing are now more manageable. The market for all smart devices (Internet of Things and other consumer smart products) has accelerated during the pandemic but concerns are growing with respect to their security. Many IoT products may be significantly unsafe because manufacturers have often not considered the security aspects.

What is the Internet of Things?

The “Internet of Things” or “IoT” relates to smart devices that interact with their environments and operate in a “smart” way without the direct intervention of human beings. There is no precise definition, as new IoT and other smart consumer items are being developed all the time. Typical examples include smoke detectors that connect with alarms and door locks, bespoke base stations to which multiple devices such as refrigerators and washing machines may be connected, smart speakers and TVs, self-driving vehicles, wearable health trackers and baby monitors that connect to smart toys.

Devices such as these and many others will continue to be heavily sold to consumers who appreciate the personal convenience as well as the fashion cachet of owning the latest devices. The global market for IoT devices could be worth as much as $1.66 trillion by 2025.

How IoT issues will impact relevant technology industries

There is now growing convergence between IoT and Artificial Intelligence (AI) as they are integrated further by both startups and multinationals. Microsoft, Oracle and Amazon are using AI to leverage IoT applications in sensors that can process and send large volumes of “smart” data to other internet-enabled devices. Operational problems and potential equipment downtime can be anticipated by the technology automatically scheduling appropriate maintenance. In the energy and aviation industries, for example, this can result in significant cost savings. AI/IoT convergence will underpin the effectiveness of emergent technology sectors such as robotics and driverless vehicles, as well as the management of mission-critical equipment.

The dangers of using such new technology are considerable given the potential for malicious disruption or data abstraction. Items that are in continual and automatic communication with the internet are open to malware, ransomware, and Distributed Denial of Service (DDoS) attacks. These can disable wider systems catastrophically. The National Cyber Security Centre (NCSC) recently issued guidance to local councils entering into “smart city” agreements with overseas state-based entities that give them too much control over critical national infrastructure such as transport management and CCTV platforms. There also needs to be physical security for commercial applications, which may be situated in remote locations or remain uninspected for long periods. The very recent Colonial Pipeline and last year’s SolarWinds ransomware attacks, both by suspected Russian actors, are cases in point.

Consumers and the Internet of Things

Cyberattacks may reveal sensitive personal data about the owners of consumer equipment to malevolent actors. A hacked device used to turn on domestic heating and lighting remotely could easily disable a smart lock, allowing burglars to enter a home. Smart home devices can expose login credentials; wearables such as fitness trackers with Bluetooth remain visible after they are first paired.

As IoT devices proliferate, the growing “attack surface” exposes the domestic environment to the same risks of disruption and of data leakage, such as personal location information. There is a widespread lack of consumer awareness of device functionality and of the danger of exposure to social engineering attacks.

But the current problems can more often be blamed on manufacturers and importers that supply devices with hard-coded passwords, no secure update mechanism and unpatched software.

Government action

IoT apps have developed to their present levels of complexity too fast for security measures to be built in as standard. However, market forces will no doubt improve security for businesses using IoT for critical infrastructure. Various international standards also exist such as ISO/IEC 27000. There has been compliance with the guidance set out in the Code of Practice relating to the security of consumer IoT, but not enough.

The weaknesses that give rise to consumer vulnerability have remained a subject of concern to the UK government since 2018, when the Department for Digital, Culture, Media & Sport (DCMS) published “Secure by Design”, which relates to the improvement of cybersecurity in consumer IoT devices. In addition, the DCMS also promoted a Digital Charter in response to the general threats and opportunities brought about by new technologies and set up the NCSC as the central body policing cybersecurity at the national level.

Proposals for legislation

Last year, the DCMS called for views on possible proposals for regulating consumer product security. It makes for interesting reading. Given the sorry state of IoT product security, the government has announced an intention to legislate, probably through flexible regulations (statutory instruments) to establish a cybersecurity “baseline” for items including smartphones, laptops and personal computers as well as more specialist IoT devices.

Proposed enforceable security requirements will include:

  • a ban on universal default passwords in consumer IoT products
  • implementation of a transparent means of managing reports of vulnerabilities which gives feedback to the user
  • transparency as to how long the device will receive security updates.
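The three requirements above translate into concrete steps at the point a device is provisioned. The following is an added example, not code from the original article or from any manufacturer or regulator: it gives each unit a random password at manufacture (so no two units share a credential), records only a salted hash of it, stores the security-update end date and a vulnerability-reporting contact in a device manifest, and then checks a manifest against all three requirements. The manifest layout, field names and the list of well-known default passwords are assumptions for illustration only.

```python
"""Provisioning-time checks for the three proposed consumer IoT requirements:
no universal default passwords, a published route for vulnerability reports,
and a stated end date for security updates.  Field names are assumptions."""
import hashlib
import hmac
import os
import secrets
from datetime import date

# Constructed list of passwords a factory image must never ship with
# (illustrative, not an exhaustive or official list).
KNOWN_UNIVERSAL_DEFAULTS = {"", "admin", "password", "default", "1234",
                            "12345", "123456", "root"}
PBKDF2_ROUNDS = 100_000


def is_universal_default(password: str, username: str = "") -> bool:
    """True if the password is one that every unit of a product would share."""
    p = password.strip().lower()
    return p in KNOWN_UNIVERSAL_DEFAULTS or (bool(username) and p == username.strip().lower())


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the manifest never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision_device(serial: str, support_until_iso: str, report_contact: str):
    """Create a unique per-unit password and the manifest describing the baseline.

    Returns (manifest, password).  In a real factory flow the password is
    printed on the unit's label once; only the salted hash is kept.
    """
    password = secrets.token_urlsafe(12)   # ~96 bits of randomness, unique per unit
    salt = os.urandom(16)
    manifest = {
        "serial": serial,
        "password_salt": salt,
        "password_hash": hash_password(password, salt),
        "security_updates_until": support_until_iso,     # ISO date, e.g. "2028-12-31"
        "vulnerability_report_contact": report_contact,  # e.g. a security@ address or URL
    }
    return manifest, password


def verify_login(manifest: dict, password: str) -> bool:
    """Constant-time comparison of the candidate password against the stored hash."""
    actual = hash_password(password, manifest["password_salt"])
    return hmac.compare_digest(manifest["password_hash"], actual)


def check_baseline(manifest: dict, today_iso: str) -> list:
    """Return the list of requirements the manifest fails (empty list = passes)."""
    failures = []
    # 1. No universal default password: the stored hash must not match any known default.
    if not manifest.get("password_hash") or not manifest.get("password_salt"):
        failures.append("no per-unit credential recorded")
    elif any(verify_login(manifest, d) for d in KNOWN_UNIVERSAL_DEFAULTS):
        failures.append("credential is a universal default")
    # 2. Transparency about the security-update period: a valid date still in the future.
    try:
        until = date.fromisoformat(manifest.get("security_updates_until") or "")
        if until < date.fromisoformat(today_iso):
            failures.append("security update period already ended")
    except ValueError:
        failures.append("security update period not stated")
    # 3. A published means of reporting vulnerabilities.
    if not manifest.get("vulnerability_report_contact"):
        failures.append("no vulnerability reporting contact published")
    return failures


if __name__ == "__main__":
    # Constructed demo values.
    good, pw = provision_device("SN-0001", "2028-12-31", "security@example.invalid")
    print("good unit:", check_baseline(good, "2025-01-01") or "passes baseline")
    legacy_salt = os.urandom(16)
    legacy = {"serial": "SN-LEGACY", "password_salt": legacy_salt,
              "password_hash": hash_password("admin", legacy_salt),
              "security_updates_until": "", "vulnerability_report_contact": ""}
    print("legacy unit:", check_baseline(legacy, "2025-01-01"))
```

The check for a universal default hashes each known default against the unit's salt, so it works on a manifest that holds only hashes; at 100,000 PBKDF2 rounds that is a fraction of a second per unit, acceptable for a factory or audit step. Note that uniqueness of the credential comes from `secrets.token_urlsafe`, not from the serial number or MAC address: credentials derived from printed identifiers are effectively universal once the derivation is known.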

The obligations that may be enforced will be aimed at “producers” of relevant devices. As in the General Product Safety Regulations 2005, this term is intended to cover manufacturers and, given how many devices are made overseas, importers and UK representatives of foreign companies as well. As a further safeguard, a “duty of care” requirement will be imposed on “distributors”, meaning conventional retailers as well as providers of online marketplaces for the sale of IoT devices.

The setting up of an enforcement body that would receive reports of items alleged not to fulfil the “security by design” criteria is a likely measure that invites comparison with GDPR-based data protection legislation. Such a body would have the power to impose compliance measures and sanctions, ranging from:

  • notices designed to promote voluntary compliance
  • enforced compliance with formal undertakings imposed
  • court orders compelling destruction of non-compliant goods
  • administrative penalties, which could be fines of up to 4% of the producer’s annual worldwide turnover in the preceding year.

Conclusions and recommendations

There is little doubt that some IoT devices are in the early stages of development, most especially with respect to inbuilt security. The danger from insecure smart products is twofold:

  • botnets attacking or disabling multiple IoT devices and causing consumer distress and business disruption
  • the harvesting of personal data (serious data breaches may have catastrophic legal and reputational consequences on businesses that collect consumer personal data on a large scale).

In the consumer products sector, it’s likely that better informed purchasers, market forces and the likelihood of impending legislation will result in manufacturers building in “security by design” very soon. Importers and retailers will be demanding this as a condition of making products available for purchase in the UK. The sanctions that may be put in place if self-regulation does not go far enough may well be very far-reaching.

Providers of IoT devices in the UK will now have little excuse not to make cybersecurity a high priority. They should be working to this end without delay and not waiting until the anticipated legislation is put in place. They should be proactive and publicise their level of commitment to in-built security in the IoT equipment they sell.